Mobile Tunnels Fail After 2.2.2 upgrade



  • We recently upgraded from a 2.1.X version (I don't recall the X part at this time) and previously had perfectly working IPsec mobile tunnels.

    After the upgrade the connection stalls out with

    Client:

    2015-06-21 16:55:48 vpnc version 0.5.3
    2015-06-21 16:55:48 IKE SA selected psk+xauth-aes256-sha1
    2015-06-21 16:55:48 NAT status: this end behind NAT? YES – remote end behind NAT? YES
    2015-06-21 16:55:48 ---!!!!!!!!! entering phase2_fatal !!!!!!!!!---
    2015-06-21 16:55:48 configuration response rejected:  (ISAKMP_N_PAYLOAD_MALFORMED)(16)

    Server:

    Jun 21 17:32:27 charon: 05[CFG] <con1|12>lease 10.255.0.193 by 'jrudolph' went offline
    Jun 21 17:32:27 charon: 05[IKE] <con1|12>deleting IKE_SA con1[12] between XXXXXXXXXXXXX….XXXXXXXXXXXX
    Jun 21 17:32:27 charon: 05[IKE] <con1|12>deleting IKE_SA con1[12] between XXXXXXXXX…XXXXXXXXXXXXXXX
    Jun 21 17:32:27 charon: 05[IKE] <con1|12>received DELETE for IKE_SA con1[12]
    Jun 21 17:32:27 charon: 05[IKE] <con1|12>received DELETE for IKE_SA con1[12]
    Jun 21 17:32:27 charon: 05[ENC] <con1|12>parsed INFORMATIONAL_V1 request 54 [ HASH D ]
    Jun 21 17:32:27 charon: 05[NET] <con1|12>received packet: from XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
    Jun 21 17:32:27 charon: 11[IKE] <con1|12>received PAYLOAD_MALFORMED error notify
    Jun 21 17:32:27 charon: 11[IKE] <con1|12>received PAYLOAD_MALFORMED error notify

    Some background on clients and settings:

    Using Shimo Client on OS X with a "CISCO IPSEC" profile and VPNC as internal system.

    Using PSK + Xauth (all users properly assigned xauth VPN permissions… as it was working fine before upgrade)

    PHASE 1 Settings:

    Key Exchange: V1
    IP: V4
    Interface: Carp Virtual IP Interface

    Auth Method: Mutual PSK + XAuth
    Negotiation: Aggressive
    My Id: My IP Address
    Peer Id: UDN user@domain.com
    PSK: <psk here>
    Enc: AES256
    Hash: SHA1
    DH Group: 2

    NAT-T: Force
    DPD: On 10/5

    PHASE 2 Settings:

    Mode: TunIP4
    Type: Network
    No NAT/BINAT

    Protocol: ESP
    Enc: AES256
    Hash: SHA1
    PFS Key Group: 2
    Lifetime: 28800

    Mobile Clients Settings:

    User Auth: Local DB
    Group Auth: System

    Network List Checked
    Save XAuth Checked (I think this was unchecked before but got checked during my 6 hours trying to make this work)

    Phase 2 PFS Group: Checked and 2

    Client:

    Using a "Cisco" profile in Shimo with the usual group/PSK settings plus user XAuth

    Sample VPNC config from client

    Vendor cisco
    IPSec gateway X.X.X.X
    IPSec ID user@domain.com
    Xauth username jrudolph
    Interface mode tun
    IKE Authmode psk
    NAT Traversal Mode force-natt
    Local Port 500

    Expert Configuration:

    Interface MTU 1428

    I have tried EVERYTHING and can only seem to make it worse if any change at all.

    I know there was a switch away from racoon to strongSwan but I can't find any docs out there that are not for the racoon version.

    Any help would be appreciated.

    Thanks,
    Jody
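A triage helper for the two logs in the post above, added here as an example; it is not part of pfSense, strongSwan, vpnc or Shimo. It groups charon lines by IKE_SA, records whether a virtual-IP lease existed for that SA before the PAYLOAD_MALFORMED notify arrived, reads vpnc's NAT-status and rejection lines, and reports which stage the failure belongs to. The sample log lines are constructed from the post's output, with the masked addresses replaced by RFC 5737 documentation ranges; the finding codes and their wording are this example's own.

```python
# Triage of an IKEv1 mobile-client failure from paired charon (server) and
# vpnc (client) logs. Sample input is constructed for this example.
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample: charon output as pfSense displays it (newest first),
# addresses taken from RFC 5737 documentation ranges.
CHARON_LOG = """\
Jun 21 17:32:27 charon: 05[CFG] <con1|12> lease 10.255.0.193 by 'jrudolph' went offline
Jun 21 17:32:27 charon: 05[IKE] <con1|12> deleting IKE_SA con1[12] between 203.0.113.10[203.0.113.10]...198.51.100.7[user@domain.com]
Jun 21 17:32:27 charon: 05[IKE] <con1|12> received DELETE for IKE_SA con1[12]
Jun 21 17:32:27 charon: 05[ENC] <con1|12> parsed INFORMATIONAL_V1 request 54 [ HASH D ]
Jun 21 17:32:27 charon: 05[NET] <con1|12> received packet: from 198.51.100.7[4500] to 203.0.113.10[4500] (92 bytes)
Jun 21 17:32:27 charon: 11[IKE] <con1|12> received PAYLOAD_MALFORMED error notify
"""

# Constructed sample: the vpnc side of the same failed attempt.
VPNC_LOG = """\
2015-06-21 16:55:48 vpnc version 0.5.3
2015-06-21 16:55:48 IKE SA selected psk+xauth-aes256-sha1
2015-06-21 16:55:48 NAT status: this end behind NAT? YES - remote end behind NAT? YES
2015-06-21 16:55:48 ---!!!!!!!!! entering phase2_fatal !!!!!!!!!---
2015-06-21 16:55:48 configuration response rejected:  (ISAKMP_N_PAYLOAD_MALFORMED)(16)
"""

# <conn|uid> is charon's connection name plus unique IKE_SA id; every line of
# one negotiation carries the same pair, so it is the grouping key.
CHARON_RE = re.compile(r"charon: \d+\[[A-Z]+\] <(?P<conn>[^|>]+)\|(?P<uid>\d+)>\s*(?P<msg>.*)$")
LEASE_RE = re.compile(r"lease (?P<ip>\S+) by '(?P<user>[^']+)' went offline")


@dataclass
class SaState:
    lease_ip: Optional[str] = None      # virtual IP the pool handed to this SA
    lease_user: Optional[str] = None    # XAuth identity the lease was bound to
    malformed_notify: bool = False      # peer sent PAYLOAD_MALFORMED
    deleted: bool = False               # peer tore the IKE_SA down


def parse_charon(text: str) -> Dict[str, SaState]:
    """Fold charon lines into per-IKE_SA state, keyed like 'con1[12]'."""
    sas: Dict[str, SaState] = {}
    for line in text.splitlines():
        m = CHARON_RE.search(line)
        if not m:
            continue
        sa = sas.setdefault(f"{m['conn']}[{m['uid']}]", SaState())
        msg = m["msg"]
        lease = LEASE_RE.search(msg)
        if lease:
            sa.lease_ip, sa.lease_user = lease["ip"], lease["user"]
        if "received PAYLOAD_MALFORMED error notify" in msg:
            sa.malformed_notify = True
        if "received DELETE for IKE_SA" in msg:
            sa.deleted = True
    return sas


def parse_vpnc(text: str) -> dict:
    """Pull proposal, NAT detection and rejection reason out of vpnc output."""
    out = {"proposal": None, "local_nat": None, "remote_nat": None, "rejected_notify": None}
    for line in text.splitlines():
        m = re.search(r"IKE SA selected (\S+)", line)
        if m:
            out["proposal"] = m.group(1)
        m = re.search(r"this end behind NAT\? (\w+).*remote end behind NAT\? (\w+)", line)
        if m:
            out["local_nat"] = m.group(1).lower() == "yes"
            out["remote_nat"] = m.group(2).lower() == "yes"
        m = re.search(r"configuration response rejected:\s*\((\w+)\)\((\d+)\)", line)
        if m:
            out["rejected_notify"] = (m.group(1), int(m.group(2)))
    return out


def triage(sas: Dict[str, SaState], client: dict) -> List[Tuple[str, str]]:
    """Return (code, explanation) findings: server SAs first, then client side."""
    findings: List[Tuple[str, str]] = []
    for key, sa in sas.items():
        if sa.malformed_notify and sa.lease_ip:
            findings.append(("MODECFG_REJECTED_AFTER_LEASE",
                             f"{key}: '{sa.lease_user}' was leased {sa.lease_ip}, so PSK, Phase 1 "
                             "and XAuth succeeded; the peer rejected the mode-config reply"))
        elif sa.malformed_notify:
            findings.append(("MALFORMED_BEFORE_LEASE",
                             f"{key}: failed before any virtual IP was handed out; check Phase 1 "
                             "identifiers and NAT-T first"))
    notify = client["rejected_notify"]
    if notify and notify[0] == "ISAKMP_N_PAYLOAD_MALFORMED":
        findings.append(("CLIENT_REJECTED_CONFIG",
                         "vpnc is the side sending PAYLOAD_MALFORMED: it could not parse the "
                         "server's configuration response"))
    if client["remote_nat"]:
        findings.append(("REMOTE_NAT_SEEN",
                         "client believes the gateway is behind NAT: either it is (then the Phase 1 "
                         "identifier must be the public IP) or NAT Traversal is forced on the server"))
    return findings


if __name__ == "__main__":
    for code, why in triage(parse_charon(CHARON_LOG), parse_vpnc(VPNC_LOG)):
        print(f"{code}: {why}")
```

Run against the sample above it reports three findings: the lease proves Phase 1 and XAuth completed, the client is the one rejecting the configuration response, and the client's "remote end behind NAT? YES" is worth checking against the server's NAT Traversal setting. Feed it a client log where the remote end is not behind NAT and the last finding disappears.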



  • Looks like your server side is behind NAT? In that case, you need to change the P1 from "My IP Address" to "IP address" and specify the public IP there.
    https://doc.pfsense.org/index.php/Upgrade_Guide#Stricter_Phase_1_Identifier_Validation



  • @cmb:

    Looks like your server side is behind NAT? In that case, you need to change the P1 from "My IP Address" to "IP address" and specify the public IP there.
    https://doc.pfsense.org/index.php/Upgrade_Guide#Stricter_Phase_1_Identifier_Validation

    No, server side is on public IP. I noticed that too and what caused it was the "force NAT" setting on pfSense. I unchecked that and now see the same problem (except for that part) as below

    2015-06-21 18:54:31 State changed to: Contacting (before: Disconnected)
    2015-06-21 18:54:31 Enter IPSec secret for vpn@vaspian.com@X.X.X.X:
    2015-06-21 18:54:31 Enter password for jrudolph@X.X.X.X:
    2015-06-21 18:54:31 vpnc version 0.5.3
    2015-06-21 18:54:31 IKE SA selected psk+xauth-aes128-sha1
    2015-06-21 18:54:31 NAT status: this end behind NAT? YES – remote end behind NAT? no
    2015-06-21 18:54:31 ---!!!!!!!!! entering phase2_fatal !!!!!!!!!---
    2015-06-21 18:54:31 configuration response rejected:  (ISAKMP_N_PAYLOAD_MALFORMED)(16)

    I have both sides set to "auto" NAT now.

    Thanks for the reply, though. Seems something else is the issue. Hoping someone has seen this and can help.



  • Ah, yeah when you force there that'll also make the client see it that way.

    Could you get me into your system, or a copy of your config? PM me and we can arrange details. That definitely all works in general, so I'm not sure what the issue could be.



  • Having the same issues. It worked in 2.1.5 but not in 2.2.1. Tried 2.2.2 today and it still doesn't work.

    It worked before with Shrewsoft/Android and iPhone.



  • @rightnow:

    Having the same issues. It worked in 2.1.5 but not in 2.2.1. Tried 2.2.2 today and it still doesn't work.

    It worked before with Shrewsoft/Android and iPhone.

    I've read other reports (on various other forums) of the same before I came here and posted. All were different clients and 2.1.x upgrading to 2.2.x.

    I was amazed no one had mentioned it here.

    Is this possibly something that could happen to the upgrade procedure?



  • I have verified this same error is the result when using a bare (fresh compiled) installation of VPNC

    this is an interactive, non-config-file, psk/xauth session attempt.

    Jodys-MacBook-Pro:vpnc jrudolph$ sudo /usr/local/sbin/vpnc
    Enter IPSec gateway address: X.X.X.X
    Enter IPSec ID for X.X.X.X: user@domain.com
    Enter IPSec secret for user@domain.com@X.X.X.X:
    Enter username for X.X.X.X: jrudolph
    Enter password for jrudolph@X.X.X.X:
    configuration response rejected:  (ISAKMP_N_PAYLOAD_MALFORMED)(16)

    Something about strongSwan and VPNC does not play nice (in this scenario).



  • @rightnow:

    Having the same issues. It worked in 2.1.5 but not in 2.2.1. Tried 2.2.2 today and it still doesn't work.

    It worked before with Shrewsoft/Android and iPhone.

    If you're using PSKs defined in the user manager or on vpn_ipsec_keys.php, there was an issue there until 2.2.3 for mobile clients.

    Most of the remainder of mobile IPsec issues are one of these three:
    https://doc.pfsense.org/index.php/Upgrade_Guide#Problem_in_racoon_with_aggressive_mode_and_NAT-D
    https://doc.pfsense.org/index.php/Upgrade_Guide#Mobile_client_users.2C_verify_Local_Network
    https://doc.pfsense.org/index.php/Upgrade_Guide#Stricter_Phase_1_Identifier_Validation

    jrudolph's issue with vpnc looks to be unrelated to those, I'm looking into it now. It wouldn't be the same issue with Shrewsoft or Android or iOS. Please review the above links, and start your own thread with info (IPsec logs especially) if you're still having issues.



  • There are either issues in vpnc when connecting to strongswan, or in strongswan itself. Configs that work fine with the built-in IPsec client in iOS and OS X, Shrewsoft, and others fail with vpnc where it should function the same as the others. My gut feel is it's a vpnc issue of some sort that racoon just didn't trigger for some reason, given all the other similar clients work fine in the same circumstance. There are a number of instances of people using vpnc with strongswan, though many of those date back quite some time. I updated the bug ticket and will revisit as soon as time permits (in the process of getting 2.2.3 to release this week).
    https://redmine.pfsense.org/issues/4784

